I'm going to reply to myself: after several more hours of digging, I
discovered that, although it wasn't true at the time I posted the above
question, eventually, as with the original post from Lachlan Musicman
<https://lists.fedorahosted.org/archives/users/463432472638105722575414590...>,
the WebUI died, and that meant no self-service for the rest of the team.
And that made it into an emergency.
So, I fired up my LDAP editor (I've been using JXWorkBench) and went to
eradicate all the traces of the failed replica. Which fixed the issue; and
I'm fairly sure there aren't any lingering effects. I think.
But this was the first time I've used the editor to actually effect any
changes to things; and I'm going to post the underlying question this
raised in a new thread...
This seems to have bitten at least a few of us; I'd be happy to know how to
file a bug if there's a useful contribution there. Thanks!
On Sat, Jan 5, 2019 at 4:47 PM K. M. Peterson <kmp.lists(a)gmail.com> wrote:
Hate _hate_ to open old threads, but...
I'm also seeing this. I've been trying to add another replica to our
topology (this would be on a different subnet than the current pair); the
ipa-replica-install command has been failing for various reasons that
I've been fixing or circumventing and I've just been re-spinning the new
server between each attempt to keep the environment clean. The latest
death was apparently because of an issue with /etc/openldap/ldap.conf,
which I was debugging, and I was about to remove the server from IPA and reset
it.
However, I'm not able to do so. All attempts are met with "ERROR:
invalid 'PKINIT enabled server': all masters must have IPA master role
enabled" - in fact, even poking around trying to do an ipa config-show
(on either of the current masters) just generates that error. I've also
tried uninstalling the replica and client on the new host, and it seems to
have completed successfully, but I can't re-enroll it either, so it's "dead
to the other masters", except...
There is nothing I want to do at this point other than another iteration
on my problem adding another replica. There's no data on the replica, nothing
is relying on it, and I've tried as hard as possible to make the
installation entirely vanilla. I haven't manually enabled PKINIT;
ipa-pkinit-manage status on the current masters says it's enabled. As
for the server roles, server-role-find shows the two current servers and
the new one; the latter's "role status" for CA Server is "absent". I've
had issues before where I've had to enumerate the RUVs and remove them
(done that). I just want the references to this to go away, so that I can
keep working towards the most minimal and concise installation.
Any ideas on where I can go to get out of this situation? Many thanks!
(Everything completely updated to *4.6.4-10.el7.centos, initial
installation was about one year ago, domain level 1; tried all the ipa
server del and ipa-replica-manage del suggestions which aren't working for
me this time, no AD integration...)
On Tue, Nov 20, 2018 at 1:48 AM Brian Topping via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
> Oh, forgot to mention, current domain level is `1`...